Source Address Spoofing

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Forged addresses aid Internet attacks. Here's what to do about them.

by Rik Farrow

Network Magazine

Networks rely on the truth. Without accurate information, networks work poorly, if at all. However, there are those who use lies to deceive networks and the systems attached to them. These lies can take many forms, such as source address spoofing, but lie detectors exist to help you spot falsehoods and keep your network secure.

Source address spoofing alters a packet's return address so that the packet appears to have come from a source other than the sender. An attacker uses source address spoofing for two reasons: to gain access to resources that only accept requests from specific source addresses, or to hide the source of an attack.

Attackers have used this technique for many years. In fact, the Distributed Denial of Service (DDoS) attacks launched against commercial sites in February 2000 used source address spoofing. Other forms of attack also employ this technique, but most of them would prove unsuccessful today—except for those involving SNMP.

Source address spoofing is often misunderstood, and therefore a cause for concern. Without preventative measures in place, you could become a victim of source addressing spoofing. (A more likely scenario would turn you into an unknowing source of a source-address-spoofing attack.)

On This Page

Local And Remote

While relying on source addresses to protect services is not a good idea, software that is oriented toward the source of requests is still common. For example, SNMP—a security disaster—often attempts to protect agents on network devices or systems by only accepting requests from specific source addresses. Also, UNIX r commands, the Network File System (NFS), Server Message Block (SMB), and TCP wrappers all include the source address (or system name, in the case of NFS) as part of the access control checks.

These services are especially vulnerable to local attacks in unswitched networks. This is because it is easy for an attacker to sniff packets in an unswitched network, and sniffing contributes to the success of most attacks. On the other hand, switched networks make it difficult (if not impossible) to sniff packets.

SNMP is a good example. Suppose SNMP agents have been configured to only respond to requests for information or changing variables from a server at the address 10.2.2.98. Using netcat, a tool for sending or receiving IP packets, an attacker can easily spoof a request from 10.2.2.98 and send it to the agent of his or her choice.

When the agent responds, it will send the response back to 10.2.2.98. The real manager will ignore the response, as it won't correspond to any outstanding request. The attacker, however, will need to sniff the response off the network for the attack to succeed, as the response was routed back to the real SNMP manager.

Even if the attacker cannot sniff the response, the attack might still succeed, as variables can be successfully changed (via an SNMP set command) without seeing the response. If the attacker shares the same subnet with the manager, the attacker might use Reverse Address Resolution Protocol (RARP) to masquerade as the manager of the IP address.

Remote attacks that seek access via source address spoofing must also have some way of seeing the return packets. Keep in mind that when a remote attacker spoofs some other network's source address, the responses will be routed to that other network, and the attacker will not receive those packets. Of course, the attacker might be able to sniff along the route to the other network. This type of attack, which requires breaking into systems located within ISPs or other intermediate networks, has been successfully carried out.

Source Route

Another old trick that may still work involves source routing. Source routing is an IP option used today mainly by network managers to check connectivity. Normally, when an IP packet leaves a system, its path is controlled by the routers and their current configuration. Source routing provides a means to override the control of the routers.

Source routing can be strict or loose. Strict source routing lets a manager specify the path through all the routers to the destination. Return responses use the same path in reverse. Loose source routing lets managers specify an address that the packet must pass through on its way to the destination. It is loose source routing that aids an attacker.

A remote attacker might seek to access a UNIX system protected with TCP wrappers, or a Windows NT Internet Information Server (IIS) protected by an access list based on source addresses. If the attacker simply spoofs one of the permitted source addresses, the attacker may never get a response. However, if the attacker both spoofs an address and sets the loose-source-routing option to force the response to return to the attacker's network, the attack can succeed.

The simplest defense against loose source routing is to not permit these packets to enter (or leave) the network. Just about any firewall will block any packet that has source routing enabled by default. You can also configure routers to block packets with source routing. TCP wrappers and many UNIX OSs can also block source-routed packets.

An attacker might also attempt "blind spoofing" to gain access to a system that "protects" itself by checking source addresses. In blind spoofing, the attacker may not need to see the responses for the attack to be successful. The first known version of this attack was launched against security specialist Tsutomu Shimomura in 1994. Shimomura was using TCP wrappers to protect his UNIX system from unauthorized access. However, the attacker succeeded by guessing the sequence numbers used in the response packets during the attack, which enabled the attack to change the configuration of the targeted system.

Sequence number attacks have become much less likely because OS vendors have changed the way initial sequence numbers are generated. The old way was to add a constant value to the next initial sequence number; newer mechanisms use a randomized value for the initial sequence number. (There are some constraints on this "random" value, however, to keep it from working incorrectly.)

Using the source address to authorize a network request is not safe. To improve your security, replace r commands with Secure Shell (SSH), and only use NFS and SMB with improved authentication (SMB has stronger authentication in all versions beyond Windows for Workgroups).

SNMP 1 and SNMP 2 still rely on source addresses for security. While you can block SNMP at the borders of your networks, you will remain vulnerable to SNMP-based scanning and attacks on your internal networks until SNMP 3 has been implemented and installed.

Hiding The Source

Besides spoofing source addresses for phony authentication, attackers can also spoof their own source addresses in attacks where reply packets are not important. Any network-based Denial of Service (DoS) attack fits this description because the point of the attack is not to get a response but instead to flood the target with requests.

In DoS attacks, it actually makes more sense for the attacker to spoof the source address, otherwise the attacker might wind up blocking his or her own access to the network. Spoofing source addresses also makes tracking the attack much more difficult, as the packets themselves must be traced on each network and subnet, back to the source.

Source address spoofing requires root access on UNIX systems. The attacker must have root access so that the attack software can open a "raw" network socket. Most applications use "cooked" sockets, in which the IP stack provides the necessary packet headers. A raw socket means that the application must prepare the necessary headers itself—that is, do its own cooking. This permits the attacker to put any information he or she wants in the headers, including spoofed source addresses. Note that Windows NT also supports raw sockets, so this is not just a UNIX issue.

How To Get Spoof-Proof

DoS attacks that use source address spoofing became popular in 1997. RFC 2267 was written in response to this type of attack. It suggests that ISPs practice ingress filtering (see Distributed Denial of Service Attacks, March 2000). In general terms, this means that ISPs should filter traffic and drop any packets with spoofed source addresses. In practical terms, this has proven difficult.

One problem is that many ISPs do not have the technical ability to arrange packet filtering to block packets with spoofed source addresses. Also, many complain that packet filtering reduces equipment performance. While this was true in the past, it is not so today. In the early 1990s, adding packet filtering to a Cisco Systems router could cut throughput by as much as 70 percent. Today, routers have better designs, and it is possible on some routers to block packets with spoofed source addresses with no effect on throughput at all.

For example, Cisco Express Forwarding (CEF) is an advanced IP switching technology, designed for high-performance layer-3 IP backbone switching. You can configure this by executing the following command while in configuration mode:

ip verify unicast reverse-path

A router (or a layer-3 switch) bases routing decisions on the destination address and the routing information. Using the same mechanism, a router can examine the source address and determine if it came from the correct interface. (The route to the source leads back the way it arrived.)

If the route is not the same, the source address must be spoofed, unless asymmetric routes are being used. Asymmetric routes mean that there is more than one way to reach the destination. If asymmetric routing is not in use, enabling this facility will block all packets with spoofed source addresses.

Linux and Berkeley Software Distribution (BSD) system kernels also support a similar facility. If you are using a Linux or BSD system as a router or terminal server, either can be configured to block packets with spoofed source addresses (merely by setting a kernel parameter). In Linux systems, you can enable this mechanism by echoing "2" to each rp_filter name found in the /proc file system (/proc/sys/net/ ipv4/conf/*/rp_filter).

Terminal servers can also block packets with spoofed source addresses. Some terminal servers do this by default. Others can do this by applying an access control list to the Ethernet connection coming from the terminal server (rather than on each incoming modem port). Reports posted to SecurityFocus.com's Bugtraq archives indicated no performance loss at all: CPU usage did increase, but it remained well below 50 percent utilization.

Tell Me No Lies

The simple solution is to block packets with obviously spoofed source addresses from entering your network. Most firewalls do this by default. If you use packet filters, block packets as they enter the external interface if they have internal source addresses, private network addresses, or the local host address (127/8).

Source address spoofing does not need to be a problem—mechanisms for thwarting it abound. Take the time to be a good Netizen and block these packets at the border of your network. Stop lying packets at the source.

Rik Farrow is an independent security consultant. His Web site, http://www.spirit.com, contains security links and information about network and computer security courses. He can be reached at mailto: rik@spirit.com.